Technical resources. OneClickSSL. WHM/cPanel Plug-in (Remote Administration Agent)

(1)

OneClickSSL™

WHM/cPanel Plug-in

(Remote Administration Agent)

(2)

Page 2 of 25 OneClickSSL™ cPanel Plugin (RAA) – Installation and SSL Certificate Application Guide

Introduction

... 3

Vouchers ... 3

Before you begin

... 4

OneClickSSL™ Requirements ... 4

Installation ... 5

Uninstall ... 5

Plugin Version History ... 5

An overview of the OneClickSSL System ... 6

OneClickSSL™ for WHM - Functionality ... 7

OneClickSSL™ for WHM – certificate installation... 10

OneClickSSL™ for cPanel – certificate installation ... 11

Troubleshooting

... 13

Being caught for phishing

... 15

DNS Errors ... 15

Revocation – Errors when entering serial numbers ... 16

Plug-in API ... 17

cPanel redeemVoucher Request ... 17

WHM redeemVoucher Request ... 18

Successful Response ... 19

Failure Example ... 19

cPanel Example - PHP... 20

WHM Example - Perl ... 21

About GlobalSign ... 25

(3)

INTRODUCTION

GlobalSign’s OneClickSSL is a fast and efficient SSL certificate lifecycle delivery mechanism. Using a patented domain ownership verification system, OneClickSSL is able to provide a fully operational SSL certificate within 30-50 seconds. Traditional processes for SSL security can be tedious. Completing the necessary steps requires knowledge of cryptography and recognition of terminology such as keysize; algorithm, CSR (Certificate Signing Request) and Intermediate Certificate Authorities (aka CA Bundle). It also relies on the ability to receive challenge-response email communications from an SSL vendor and processing the necessary steps to install the SSL Certificate requires patience and technical know-how. With the introduction of OneClickSSL, SSL Certificate provisioning can be fully automated, making server security easily accessible to organizations of all sizes. This process is quick and easy and the automated nature of the installations relieves the woes of spending hours troubleshooting the installation, thereby reducing support costs and increasing profit for all stakeholders in the delivery chain. OneClickSSL is based on multi-factor authentication techniques, hence providing the highest security levels, whilst also enabling administrators to manage the entire SSL lifecycle with practically zero training. The only item necessary to understand is the voucher.

VOUCHERS

Vouchers are redeemed for SSL certificates. They are available either directly from GlobalSign’s website through a GlobalSign Certificate Centre (GCC) Account or from a GlobalSign Partner who may also be providing hosting services for your web site/server. Appropriate links are embedded within the control panel to obtain trial vouchers or full versions. Just click on the ‘No Voucher’ ICON.

Trial Vouchers Site Vouchers Super Vouchers Monthly Vouchers

 Trial Vouchers are usually free trials and are between 5-90 days

 Full Site Vouchers are delivered on a per domain basis allowing additional features (Wildcards, SANs, Organizational Information, mixed FQDNs, Unified communications etc.)

 Super Vouchers are 3 months to 3 years and available via reseller partners and will usually be tied in to a hosting program with specific IP address ranges or specific control panels.

 Monthly Vouchers use the RAA (Remote Administration Agent) function integrated into the plug-in to automatically install SSL certificates on to the web site every month – i.e. no renewal workload.

(4)

BEFORE YOU BEGIN

The OneClickSSL™ plug-in may be installed by following the instructions below. If you have any existing certificates installed then it is recommended to back these up before you begin.All temporary files will be cleaned after the install is completed and an unsuccessful install should return the system back to its original configuration. Note: It is recommended that you are familiar with the general set-up of your WHM/cPanel and its configuration options and also the DNS (Domain Name Server) by which the webserver is named.

BEFORE YOU START, Please make sure you can answer YES to all these questions:

 Your domain is registered with a Domain Name Registrar and can be located with a simple PING test (or equivalent). In order to install SSL certificates the domain must be on a single dedicated IP address.

o You must have an ‘A’ or ‘CNAME’ record registered in DNS

 Your domain is assigned a dedicated IP address (this is required for a successful SSL handshake)

 You have a Voucher from GlobalSign or one of its partners.

 Your WHM/cPanel has the desired domain available to you to control.

 You have Port 443 (or a custom alternative) open on your firewall such that a HTTPS session can be initiated during the install process.

ONECLICKSSL™ REQUIREMENTS

 WHM/cPanel Server v11.25.1+

 The OneClickSSL .sea (self extracting archive) installer for WHM/cPanel is available here:-

(5)

INSTALLATION

1. To install, copy the cpanel-plugin (.sea) to the root directory of your WHM/cPanel server using wget from the root.

wget www.globalsign.com/downloads/oneclickssl/cpanel/GlobalSign-OneClickSSL-cPanel-Plugin-X.X.sea

2. Run these commands as root:

chmod +x GlobalSign-OneClickSSL-cPanel-Plugin-X.X.sea ./GlobalSign-OneClickSSL-cPanel-Plugin-X.X.sea

UNINSTALL

1. To uninstall:

The uninstall file is located:

/usr/local/cpanel/scripts/

To uninstall, navigate to the directory above and

run these commands as root: chmod +x GlobalSign-Uninstall

./GlobalSign-Uninstall

Note! Administrators, you may require SSH access to your server to run these commands.

PLUGIN VERSION HISTORY

To track version updates and current version, we’ve provided a JSON resource at:

https://www.globalsign.com/downloads/oneclickssl/cpanel/cpanel-version-updates.json

This resource lists the available versions and the change log details

(6)

AN OVERVIEW OF THE ONECLICKSSL SYSTEM

This section provides a simplistic overview of the architecture and will help resellers, hosting providers and domain owners understand the relationships between the various parties that the plug-in supports. Any of the voucher types can be used an the End Customer/Domain owner to allow an SSL certificate to be installed. The voucher can be requested via the Partner or directly from GlobalSign. Installation by the end customer initiates the voucher redemption process, effectively exchanging the voucher for an SSL certificate to provide SSL functionality on the web server. The complete process takes between 30 and 50 seconds.

Hosting providers have the ability to ‘push’ SSL certificates onto end customer’s domains as a value added service. This is achieved through the WHM administration console, and is primarily design to support ‘Super Vouchers’. Super vouchers have the ability to be constrained by GlobalSign to a specific IP Address, or range of IP Addresses. This protects each of the stakeholders in the process by ensuring that only approved vouchers are used/installed protecting business relationships and allowing hosting providers to ‘bundle’ SSL certificates with their hosting package without fear that the Super voucher could be used within a competitors infrastructure. Monthly vouchers install SSL certificates via

the RAA (Remote Administration Agent) function built into the end customer’s control panel. If RAA is enabled then following a successful bootstrapping installation of an initial certificate, additional short duration certificates may be pushed onto the system by GlobalSign’s system at regular intervals. During the install process the user name of the cPanel owner is archived by

GlobalSign’s system to ensure future certificates can be installed. This feature is described in more detail later on in this user guide.

(7)

ONECLICKSSL™ FOR WHM - FUNCTIONALITY

To navigate to your newly installed OneClickSSL™ for WHM, click on the GlobalSign OneClickSSL™ from the Plugins icon group:

Alternatively you can use the find tool in WHM typing “onecl” or “onecli” etc to locate the plug-in.

The

‘Redeem Vouchers’ menu offers the ability to select the appropriate web site to secure,

as well as input boxes for the voucher itself and an e-mail address for notification of a

successful installation or how to upgrade/renew as appropriate. In the event of an error,

details will be sent to this e-mail address to aid debugging activities. There is also a link to

the GlobalSign web site to purchase vouchers.

Please note that as a WHM (Root) user, all web sites are available to you in the selection

box, meaning as an administrator you can ‘push’ a certificate down to cPanel users who host

domains on your system as a service. Please note that GlobalSign offers a www & a non

www version of the domain name within the delivered certificate so all domain naming

options should work correctly.

(8)

The

‘Hostname Vouchers’ menu (illustrated on the next screen) offers the ability to install a

OneClickSSL certificate for the hostname of your cPanel/WHM instance. The domain is set

& determined by the hostname you’ve chosen to operate your WHM instance (configuration

set in Networking Setup>Change Hostname). The voucher and email address are the same

as from the Redeem Vouchers tab.

The

‘Advanced Reseller Options’ menu (illustrated on the next screen) offers you the

ability to join one of the GlobalSign reseller programs, but also provides a way to customize

the landing page URL of the ‘No Voucher’ icon for your hosted customers. Traffic can be

directed to your site to sell vouchers and services associated with OneClickSSL. Once you

have modified the URL you may select ‘Save Changes’ button.

(9)

Finally, there’s a ‘Configure Automatic Updates’ menu which allows you to customize the update frequency to your specific needs. If you look at this page in the future then the current/latest version information is important to see if there have been any updates to the plug-in since you installed it.

(10)

ONECLICKSSL™ FOR WHM – CERTIFICATE INSTALLATION

Once your click ‘Activate SSL’ in the redeem vouchers menu, the system will begin to process using web services technology. Each of the significant steps is highlighted with a green check mark as the plug-in runs through the application and installation process.

A successful install.

A failure, showing

detail about why

it failed.

(11)

ONECLICKSSL™ FOR CPANEL – CERTIFICATE INSTALLATION

Domain Owners logging into cPanel will see the following screen. The plug-in can be called

from the ‘Security’ menu by clicking on the ‘GlobalSign OneClickSSL Installer’

The redeem vouchers menu offers the same look and feel as the WHM screen, with the

exception of the number of web sites. A domain owner can only see his own web site. The

‘No Voucher icon will direct domain owners to the URL configured by the WHM administrator

(12)

The

‘Advanced SSL Options’ menu provides the ability to allow or disallow Remote

Administration. (RAA) is performed on a per user basis, so if you have multiple web sites

secured within a single user area then all of them will support RAA if you enable this option.

RAA must be enabled if you wish to support automatic renewals, monthly installation of

certificates or future lifecycle options.

Revocation of certificates is also possible for domain owners through the advanced menu.

Please note that revocation is a way to permanently identify an individual certificate on a

blacklist as ‘bad’ . Browsers will use information embedded within certificates to validate that

they are still ‘good’, so please do not revoke by mistake. (A warning will be presented once

the revoke SSL button is pressed.

Depending on your browser (Google Chrome identifies the currently installed certificate in

Green), select the certificate that you wish to revoke. Please note that a ‘complete’ history

is presented in the pull down, including past certificates installed and certificates, which have

since expired. This is useful for audit purposes. If you wish to revoke a certificate then you

will need to enter it’s serial number into the box as confirmation of intent.

(13)

TROUBLESHOOTING

INSTALLATION OR OTHER GENERAL ERRORS

The variation of cPanel/WHM deployment environments sometimes causes the installer to believe a Perl Module dependency was installed, but in actuality was not.

If a Perl Module is missing, the manifest of the error varies in the GUI, but can be seen better in the log. In the GUI these errors can be seen during redemption as shown below. Note there is no error code, this usually indicates a plugin installation/configuration issue:

To diagnose, a redemption error try viewing the error log while running the redemption process > tail -f /usr/local/cpanel/logs/error_log

If there are any lines generated containing text similar to Can't locate XXX/YYYYYY.pm in @INC…

Then this likely indicates that the Perl Module contained in

XXXX/YYYYY.pm

was not able to be installed by the plugin and will need to be installed manually. If there is one Perl Module that failed, then it’s possible that there may be multiple Perl modules which failed during installation, so look through the log to see if there are different instances listed.

There are two options for manually installing perl modules.

Method 1 – via WHM GUI (easier & preferred)

Ie if : “Can't locate WWW/FieldValidator.pm in @INC” was found in error log Then try installing the perl modules via WHM menu item: Software>Install a Perl Module

Enter the missing Perl Module name in the text box and click Install Now. A text output & status of the installation process will be shown and indicate success or failure.

(14)

Method 2 – via Command Line (sometimes indicates success, but modules aren’t actually

installed or usable by WHM)

Alternatively to the GUI installation, the Perl Modules can be run via

If any failures occur, then the user will need to run the install manually by running "/scripts/perlinstaller XXXX::YYYYY "

For example in the example above, the user needed to manually run the following:

>/scripts/perlinstaller WWW::FieldValidator The list of all required perl modules:

Config::Crontab Date::Simple Digest::MD5 HTTP::Request::Common IO::Handle IPC::Open3 JSON::Syck LWP::UserAgent Mozilla::CA Template XML::Simple YAML::Syck

If after installing a Perl Module, you still have failures, have a look at the log again and see if

there are any other a Perl Modules which the installer had difficulties with. You can identify

them like the highlighted one below:

Internal Server Error: "GET /cpsess6640894568/cgi/addon_globalsign.cgi HTTP/1.1" 500 No response from subprocess

(/usr/local/cpanel/whostmgr/docroot/cgi/addon_globalsign.cgi) with exit signal: 2 Can't locate SOAP/Lite.pm in @INC (@INC contains: /usr/local/cpanel

/usr/local/cpanel /usr/local/cpanel /usr/local/cpanel

/usr/local/lib/perl5/5.8.8/x86_64-linux /usr/local/lib/perl5/5.8.8 /usr/local/lib/perl5/site_perl/5.8.8/x86_64-linux

/usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/site_perl .) at /usr/local/cpanel/Cpanel/GlobalSign/Models/Config.pm line 11.

BEGIN failed--compilation aborted at

(15)

BEING CAUGHT FOR PHISHING

In some cases where an SSL Certificate is requested for a domain with suspicious keywords, such as ‘Bank’ or ‘Microsoft’, the request can be halted for security reasons. This is called being caught for ‘Phishing’. The GlobalSign OneClickSSL™ Plugin for WHM/cPanel has a built-in phishing check at the beginning of the voucher verification phase. In the event the domain you have requested a Certificate for gets caught for phishing, you will receive an email notifying you and the order will be delayed until the vetting team can manually review the requested domain. If you require immediate resolution please contact the GlobalSign support team with your Voucher and domain name.

DNS ERRORS

In the event you are presented with a DNS-related error during the OneClickSSL order process, there are several potential issues that need to be addressed. If your domain is a new entry in the DNS system then please allow 24 hours after its creation to propagate and clear. If your domain has existed for more than 24 hours, try a PING request to your domain and check that it resolves.

Also you will need to confirm that the ‘A’ or ‘CNAME’ records are defined for the domain in DNS. If these are not defined, then the process will fail.

(16)

REVOCATION – ERRORS WHEN ENTERING SERIAL NUMBERS

cPanel users should note, when attempting to revoke, that great care needs to be taken in selecting the correct serial number of the Certificate you wish to revoke and check this against the Certificate beforehand. In the event you are presented with an error for a non-existent serial number, double-check the serial number again and ensure the serial number was formatted correctly e.g. 0100011617904c9e instead of 01 00 01 16 17 90 4c 9e.

(17)

PLUG-IN API

The GlobalSign OneClickSSL plugin for cPanel & WHM has an API exposed to allow

programmatically installing certificates for your users. This can be used to automate the installation process from a custom billing or backend system.

Note that running these requests from the same Apache instance that you’re installing the SSL certificate on can be problematic, as the process requires Apache to be restarted and will disconnect the connection.

You have a few options for how the API is called to initiate redemption, but the formats are described below. When you run the redeemVoucher call, it performs the complete process (so it can take ~30 seconds for a response). You can test this on your system with the voucher code 5daytrialDV or any other voucher code you have.

CPANEL REDEEMVOUCHER

REQUEST

https://XXXX:2083/xml-api/cpanel?cpanel_xmlapi_module=GlobalSign&cpanel_xmlapi_func=redeemVouche

r&cpanel_xmlapi_user=UUUU&domain=XXXX&voucher=VVVV&email=EEEE

Where:

XXXX = Domain being secured

UUUU= cPanel User (cannot be root)

VVVV=Voucher code (single site or super)

EEEE= Email for renewal notices

Authentication can be done with either UUUU user (note: root doesn’t have a cPanel account, so can’t be used in this request) in any of the ways that the cPanel API does:

using basic authentication - user:pass using accesshash - whm user:accesshash More info here:

(18)

WHM REDEEMVOUCHER REQUEST

Alternatively the API call can be made through WHM & authenticated with the root user. The only difference here is the port used for authentication

https://whmhostname:2087/xml-api/cpanel?cpanel_xmlapi_module=GlobalSign&cpanel_xmlapi_func=redeemVouche

r&cpanel_xmlapi_user=UUUU&domain=XXXX&voucher=VVVV&email=EEEE

Where:

XXXX = Domain being secured

UUUU= cPanel User (cannot be root)

VVVV=Voucher code (single site or super)

EEEE= Email for renewal notices

Authentication can be done with 'root' or another account with WHM access in any of the ways that the cPanel API does:

using basic authentication - user:pass

using accesshash - whm user:accesshash

More info here:

(19)

SUCCESSFUL RESPONSE

<?xml version="1.0" ?>

<cpanelresult>

<apiversion>2</apiversion>

<data>

<domainInfo>

<IP>67.225.232.153</IP>

<IsDedicated>1</IsDedicated>

</domainInfo>

<errors>

<installError></installError>

<installInfo></installInfo>

</errors>

<message>SSL Certificate installed for

cpanel1.oneclickssldemo1.co.uk</message>

<success>1</success>

</data>

<event>

<result>1</result>

</event>

<func>redeemVoucher</func>

<module>GlobalSign</module>

</cpanelresult>

FAILURE EXAMPLE

<?xml version="1.0" ?>

<cpanelresult>

<error>Access denied</error>

<data>

<result>0</result>

<reason>Access denied</reason>

</data>

</cpanelresult>

(20)

CPANEL EXAMPLE - PHP

<?php

$whmusername = "cpaneluser";

$whmpassword = "password123";

"https://whmhostname.com:2083/xml-api/cpanel?cpanel_xmlapi_module=GlobalSign&cpanel_xmlapi_func=redeemVouche

r&cpanel_xmlapi_user=cpaneluser&domain=domainbeingsecured.com&voucher=5day

trialDV&[email protected]";

$curl = curl_init();

curl_setopt($curl, CURLOPT_TIMEOUT, 180);

# Create Curl Object

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST,0);

# Allow certs that do not match the domain

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER,0);

print $query;

# Allow self-signed certs

curl_setopt($curl, CURLOPT_RETURNTRANSFER,1);

# Return contents of transfer on curl_exec

$header[0] = "Authorization: Basic " .

base64_encode($whmusername.":".$whmpassword) . "\n\r";

# Remove newlines from the hash

curl_setopt($curl,CURLOPT_HTTPHEADER,$header);

# Set curl header

curl_setopt($curl, CURLOPT_URL, $query);

# Set your URL

$result = curl_exec($curl);

# Execute Query, assign to $result

if ($result == false) {

error_log("curl_exec threw error \"" . curl_error($curl) . "\" for

$query");

}

curl_close($curl);

print $result;

?>

(21)

WHM EXAMPLE - PERL

!/usr/bin/perl

use strict;

use LWP::UserAgent;

use MIME::Base64;

BEGIN { $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0 }

my $user = "username";

my $pass = "password123";

my $auth = "Basic " . MIME::Base64::encode( $user . ":" . $pass );

print $auth;

my $ua = LWP::UserAgent->new;

my $request =

HTTP::Request->new( GET =>

'https://domain.com:2087/xml-api/cpanel?cpanel_xmlapi_module=GlobalSign&cpanel_xmlapi_func=redeemVouche

r&cpanel_xmlapi_user=root&domain=domainbeingsecured&voucher=5daytrialDV&em

[email protected]' );

$request->header( Authorization => $auth );

my $response = $ua->request($request);

print $response->content;

(22)

ONECLICKSSL™ ERROR MESSAGES

ErrorCode Error Description Returned Resolution

-1

Undocumented or unexpected system error (Detailed information is not currently available). Please retry and if the issue persists contact support with detailed information concerning the issue.

This error description is currently a bug. The error is supposed to indicate that there is a DNS record. Please confirm that your domain has an ‘A’ record or ‘CNAME’ record associated with it in DNS.

-101 Invalid parameter entered. Please check the parameters match the API specification.

Please check that you have correctly typed all the parameters. Use debug mode to see if any other information is presented.

-102 Mandatory parameter missing. Please check the parameters match the API specification.

If you have a ‘Super Voucher’ or a ‘Trial Voucher’ then an email address is mandatory with the ‘voucheroption’ switch

-103 Parameter length check error. Please check the parameters match the API specification.

-104 Parameter format check error. Please check the parameters match the API specification.

-105 Invalid parameter combination. Please check the parameters match the API specification.

-3008

We have been unable to connect to your web server to validate the presence of the Temporary SSL certificate. Please ensure your firewall settings allow an external https connection to be established on the default port 443 or the custom port you may have selected.

Please ensure that your domain can be queried from the ‘public’ Internet on the port you have chosen. You may need to check from outside your internal network.

-3012

We have been unable to validate your domain through a Domain Name Search. Please verify that your domain is registered correctly via your Domain Management Registrar.

-3013

Failed to obtain your IP Address via a targeted DNS search. Please verify that your domain is registered correctly via your Domain

Management Registrar.

-3019

We have been unable to resolve the IP address of your domain through DNS. Please check your domain is correct and can be seen via a PING request or alternative check. If this is a new domain or subdomain it might be that it has not propagated to the Root DNS server. These checks help to avoid the possibility of DNS Poisoning issues. Please try again later.

-5001

The domain has been flagged as either

containing a suspicious word or phrase, or it may have triggered a hit on our Phishing database search. It will not be possible to proceed without clearing this issue so please contact your support team directly to resolve the problem. Please have the domain name and Voucher ID available for our support team.

Domain Validated certificates need to be carefully controlled as issuance to a web site purporting to be a brand owner when they are not may be cause for concern. If your domain contains keywords or has been identified as a possible ‘phishing web site’ then you will need to contact your support team. An e-mail will be sent to the appropriate contact person who made the request.

(23)

-6001

Certificate Signing Request parsing error. Please retry and if the issue persists then contact support with detailed information concerning the issue.

There is a potential issue with CSR generation on your platform. It may not be possible to continue. Please contact your support team to resolve the issue.

-6007

System Error (The Public Key of the certificate has been used previously – Duplicates are not allowed). Please retry and if the issue persists then contact support with detailed information concerning the issue.

It’s unlikely, but possible, that your Public Key has been used by another entity. It is recommended to re generate the key again. Please run the process from the beginning which will do this.

-6019

System Error (The Certifiacte Distinguished Name (DN) exceeds 1024 bytes). Please retry and if the issue persists then contact support with detailed information concerning the issue.

If you have an extremely long domain name you may have exceeded the allowable size of the DN. Please contact GlobalSign directly to talk about alternative options to move forward.

-6029

System Error (The Certificate has already been revoked). Please retry and if the issue persists then contact support with detailed information concerning the issue.

Please check that you have entered the correct S/N as it looks like the certificate has already been revoked. You can obtain the CRL location from the certificate and view the CRL to see if the S/N is included. Please not the format in Windows is in S/N order -9001 The Voucher you have entered does not exist.

Please check and try again.

Please verify that the voucher is correct. It may contain O’s (oh’s) and 0’s (zeros) so please verify these are correct.

-9002

We are unable to verify the presence of the Temporary certificate on your domain. Possible time out issue. Please retry and if the issue happens again contact support.

We can’t connect to your domain. We allow 3 minutes to check for the presence of the Temporary certificate. Please check that it is viewable via the public Internet. You can see using the debug option that the certificate has been installed.

-9003

The Domain which you have requested does not match the Common Name (CN) that was

specified during the Voucher application process. Please double check and retry.

If you purchased a Voucher then the confirmation e-mail should highlight the domain that was purchased. Please check that you are using the right domain and the right voucher.

-9004

A Public IP Address cannot be used as a Domain Name with this type of SSL certificate. Please check you have requested the correct certificate type.

You cannot apply for a Public IP address as the primary domain. You need to have an FQDN (Fully Qualified Domain Name) as the principle domain.

-9005 Reissuance using this Voucher is not possible as the underlying certificate has now expired.

Reissuance allows a certificate to be issued again from the same voucher up to and including the same date of expiry as the original certificate. It seems that the original has expired.

-9007

The Serial Number you have requested does not exist. Please check the certificate again and ensure the format is correct with no spaces eg. 0100011617904c9e and not 01 00 01 16 17 90 4c 9e

Be sure to type the serial number correctly. Please open the certificate viewer and check the serial number again.

-9008

It is not possible to Revoke this certificate. It may have expired or it may have already been revoked. Please contact GlobalSign directly for confirmation of the certificate status.

You can examine the certificate and locate the CRL location in the Details view. If you download the CRL you can view it on a per S/N basis to see if your S/N is listed (Please allow up to 3 hours before checking as CRLs) are renewed every three hours.

(24)

and try again. receive this message then please contact the supplier of your Voucher and obtain and updated Voucher.

-9012

In order to prevent a race condition for multiple re-issuances, a limit is placed on the number of re-issuances per day. The Daily limit has been exceeded.

Please wait 24 hours before trying to use this voucher again.

-9016

The domain name within the CSR is different from the Common name (CN) associated with the Voucher. Please verify the domain names are consistent and try again.

Vouchers are sometime tied directly to a domain. If you believe that the domain you have entered is correct then please contact support. Please note that entering

www.domain.com will provide a certificate with www.domain.com & domain.com capabilities, where as domain.com will only provide domain.com capabilities.

-9019

The voucher you are using only allows a certificate to be installed within a specific IP address range. The IP address of this domain is not within the allowed range. Please check with the provider of the voucher.

Vouchers may be tied to a specific IP address range. If you have this error it’s possible that the voucher you are using is for an alternative IP Address. Please contact the provider of your voucher.

-9026

The Voucher you are trying has been cancelled. Please contact support with detailed information concerning the issue.

Please contact the provider of your voucher.

-9028

The Voucher you are using is for a ‘renewal’. Unfortunately the original certificate has either been canceled, revoked or re-issued already, or the expiry date has now passed. Please contact support with detailed information concerning the issue.

-9029

The Voucher you are using is for a ‘’re-issue’. Unfortunately the original certificate has either been canceled, revoked or re-issued already, or the expiry date has now passed. Please contact support with detailed information concerning the issue.

-9910

The credit card associated with the account is invalid and it is not possible to complete the order process. Please verify that the credit card is correct and try again.

Please log in to your account and rectify the problem.

-9911

There is insufficient credit in the account to complete the order process. Please verify that the account has sufficient funds and try again.

-9912

There is an insufficient deposit balance within the account to complete the order process. Please verify that the account has sufficient funds and try again.

-9935

The Country Code within the certificate is for a country that GlobalSign does not support. Please contact support with detailed information

concerning the issue.

Not all countries are supported by

GlobalSign. If you receive this message then unfortunately you cannot install a certificate with this method.

(25)

ABOUT GLOBALSIGN

GlobalSign was one of the first Certification Authorities and has been providing digital credentialing services since 1996. It operates multi-lingual sales and technical support offices in London, Brussels, Boston, Tokyo and Shanghai.

GlobalSign has a rich history of investors, including ING Bank and Vodafone. Now part of a GMO Internet Inc group company - a public company quoted on the prestigious Tokyo Stock Exchange (TSE: 9449) whose shareholders include Yahoo! Japan, Morgan Stanley and Credit Suisse First Boston.

As a leader in public trust services, GlobalSign Certificates are trusted by all popular Browsers, Operating Systems, Devices and Applications and include SSL, Code Signing, Adobe CDS Digital IDs, Email &

Authentication, Enterprise Digital Solutions, internal PKI & Microsoft Certificate Service root signing. It's trusted root CA Certificates are recognized by all operating systems, all major web browsers, web servers, email clients and Internet applications; as well as all mobile devices.

Accredited to the highest standards

As a WebTrust accredited public Certificate Authority, our core solutions allow our thousands of enterprise customers to conduct secure online transactions and data submission, and provide tamper-proof distributable code as well as being able to bind identities to Digital Certificates for S/MIME email encryption and remote two factor authentication, such as SSL VPNs. GlobalSign US & Canada Tel: 1-877-775-4562 www.globalsign.com [email protected] GlobalSign EU Tel: +32 16 891900 www.globalsign.eu [email protected] GlobalSign UK Tel: +44 1622 766766 www.globalsign.co.uk [email protected] GlobalSign FR Tel: +33 1 82 88 01 24 www.globalsign.fr [email protected] GlobalSign DE Tel: +49 30 8878 9310 www.globalsign.de [email protected] GlobalSign NL Tel: +31 20 8908021 www.globalsign.nl [email protected]